Cybersecurity Chapter 1
Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?
- A project manager, who may be a departmental line manager or staff unit manager, would lead a security team.
- The approach to security should be more managerial than technical, although the technical ability of the resources who perform day-to-day activities is critical.
Describe the critical characteristics of information. How are they used in the study of computer security?
- Accuracy, an attribute of information that describes how data is free from errors and has the value that the user expects.
- Authenticity, an attribute of information that describes how data is genuine or original rather than reproduced or fabricated.
- Availability, an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction.
- Confidentiality, an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems.
- Integrity, an attribute of information that describes how data is whole, complete, and uncorrupted.
- Personally Identifiable Information (PII), a set of information that could uniquely identify an individual.
- Possession, an attribute of information that describes how the data's ownership or control is legitimate or authorized.
- Utility, an attribute of information that describes how data has value or usefulness for an end purpose.
- The value of information comes from the characteristics it possesses.
Who is ultimately responsible for the security of information in the organization?
- Chief Information Security Officer (CISO), typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.
How has computer security evolved into modern information security?
- Computer security consisted of securing a system's physical location with badges, keys, and facial recognition. To ensure total security, the information itself, as well as the hardware used to transmit and store it, needed to be protected. Information security developed from this need.
What are the three components of the C.I.A. triad? What are they used for?
- Confidentiality, an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. Information should only be accessible to its intended recipients.
- Integrity, an attribute of information that describes how data is whole, complete, and uncorrupted. Information should arrive the same as it was sent.
- Availability, an attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction. Information should be available to those authorized to use it.
How can the practice of information security be described as both an art and a science? How does the view of security as a social science influence its practice?
- First, information security is a science because it requires various kinds of tools and technologies used for technical purposes.
- Second, information security is also an art because there are no clear-cut rules for how to install various security mechanisms.
What system is the predecessor of almost all modern multiuser systems?
- MULTICS (Multiplexed Information and Computing Service) was a mainframe, time-sharing operating system developed in the mid-1960s by General Electric (GE), Bell Labs, and the Massachusetts Institute of Technology (MIT). It was the first operating system to integrate security into its core functions.
What is the relationship between the MULTICS project and the early development of computer security?
- MULTICS, or Multiplexed Information and Computing Service, was the first operating system created with security as its primary goal. It was a mainframe, time-sharing operating system developed through a partnership among GE, Bell Labs, and MIT. Much of the early focus for research on computer security was centered on this system.
Why is a methodology important in the implementation of information security? How does a methodology improve the process?
- Methodology is important in the implementation of information security because it ensures that development is structured in an orderly, comprehensive fashion. The methodology unifies the process of identifying specific threats and the creation of specific controls to counter those threats into a coherent program.
- First, it entails all the rigorous steps for an organization's employees to follow. Second, a methodology increases the probability of success.
- Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Once a methodology has been adopted, the key milestones are established, and a team is selected and made accountable for accomplishing the project goals.
What type of security was dominant in the early years of computing?
- Physical security, policies dealing with hardware as a physical asset and with the protection of physical assets from harm or theft, e.g. locks, keys, and restrictions on access to and interaction with the hardware components of an information system.
- During the early years, information security was a straightforward process composed predominantly of physical security and simple document classification schemes.
Why is the top-down approach to information security superior to the bottom-up approach?
- The project is initiated by upper-level managers who issue policy, procedures, and processes; dictate goals; and determine accountability.
- This approach has strong upper management support, a dedicated champion, usually dedicated funding, a clear planning and implementation process, and the means of influencing organizational culture. The most successful kind of top-down approach also involves a formal development strategy referred to as a systems development life cycle.
Which paper is the foundation of all subsequent studies of computer security?
- RAND Report R-609 was the first widely recognized published document to identify the role of management and policy issues in computer security. It attempted to define the multiple controls and mechanisms necessary for the protection of a computerized data processing system.
What was important about RAND Report R-609?
- RR609 was the first widely recognized published document to identify the role of management and policy issues in computer security.
Identify the six components of information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
- Software, which in an information system includes applications (programs), operating systems, and assorted command-line utilities.
- Hardware, the physical technology that houses and executes the software, stores and transports the data, and provides interfaces for the entry and removal of information from the system.
- Data, which is stored, processed, and transmitted by a computer system and must be protected. Data is often the most valuable asset of an organization and therefore is the main target of intentional attacks.
- People, who, though often overlooked in computer security considerations, have always been a threat to information security.
- Procedures, written instructions for accomplishing a specific task.
- Networks, the information system component that created much of the need for increased computer and information security.
- People would be affected most by the study of computer security. People can be the weakest link in an organization's information security program.
- Hardware and software are the components that are historically associated with the study of computer security. However, networking is the component that created much of the need for increased computer and information security.
If the C.I.A. triad is incomplete, why is it so commonly used in security?
- The C.I.A. triad has been the standard for computer security in both industry and government since the development of the mainframe. The security of the characteristics is as important today as it has always been. It addresses the fundamental concerns with the vulnerability of information security systems.
Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?
- The CIO (Chief Information Officer) decides how and when data in an organization will be used or controlled.
- The VP-IT (Vice President of Information Technology) is responsible for seeing that these decisions are carried out.
How is infrastructure protection (assuring the security of utility services) related to information security?
- The availability of information assets is dependent on having information systems that are reliable and that remain highly available.
What is the difference between a threat agent and a threat?
- Threat agent, the specific instance or component of a threat and the facilitator of an attack, e.g. a hacker.
- Threat, any event or circumstance that has the potential to adversely affect operations and assets; a constant danger to an asset.
Which members of an organization are involved in the security systems development life cycle? Who leads the process?
- Upper management.
- The process is usually led by a senior executive, sometimes called the champion, who promotes the project and secures its financial, administrative, and company-wide backing. A project manager is assigned the task of managing the project.
What is the difference between a vulnerability and exposure?
- Vulnerability, a potential weakness in an asset or its defensive control system(s); a fault within the system that leaves it open to attack or damage, e.g. a flaw in software or an unprotected system port.
- Exposure, a condition or state of being exposed; in information security, exposure exists when a vulnerability is known to an attacker. It is a single instance in which a system is open to damage; vulnerabilities can in turn be the cause of exposure.